www.ernw.de
Security Evaluation of Dual-Stack Systems
Troopers 2016
Patrik Fehrenbach
Prof Dr. Friedbert Kaspar / Dipl. Ing. (BA) Christopher Scheuring
Disclaimer
¬ There will be a lot of numbers, charts...
¬ They could be wrong
¬ ...I did my best so they are not
3/15/2016 #2
Talk Roadmap
¬ About dual-stack
¬ Motivation
¬ Previous work
¬ Results
¬ Conclusion
About Dual-Stack
Dual-Stack Domain: Google.com
IPv6: 2a00:1450:400a:805::1008 {...}
IPv4: 109.193.193.104 {...}
Security?
Motivation
¬ RFC 7381 - Enterprise IPv6 Deployment Guidelines
"It should be noted that in a dual-stack network, the security implementation for both IPv4 and IPv6 needs to be considered, in addition to security considerations related to the interaction of (and transition between) the two, while they coexist."
Motivation
„This simply means that all routers and hosts operating in a
dual-stack environment with both protocol families enabled
(even if by default) must have a congruent security policy for
both protocol versions. For example, permit TCP ports 80
and 443 to all web servers and deny all other ports to the
same servers must be implemented both for IPv4 and IPv6.“
¬ RFC 7381 - Enterprise IPv6 Deployment Guidelines
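The RFC's requirement is checkable on a host. The following script is an added example, not part of the original talk or of the authors' tooling: it parses `iptables-save` (IPv4) and `ip6tables-save` (IPv6) output, collects the TCP/UDP ports the INPUT chain accepts, and reports every port admitted by one protocol family only. The two rulesets embedded below are constructed samples, not captures from a real host; the IPv4 side allows only 80 and 443 while the IPv6 side was never tightened, which is exactly the incongruent policy the RFC warns about. A chain whose default policy is ACCEPT (the common state of a box where nobody ever wrote ip6tables rules) is flagged separately, because then the explicit rules say nothing about what is reachable.

```python
"""Congruence check for a dual-stack host firewall: parse iptables-save (IPv4)
and ip6tables-save (IPv6) output, collect the ports the INPUT chain accepts,
and report every port admitted by one protocol family only."""
import re

# Constructed sample rulesets (not captured from a real host): the IPv4 policy
# admits only the web ports, the IPv6 policy was never tightened and also lets
# FTP, SSH, Telnet and 8080 through - the mismatch RFC 7381 warns about.
IPTABLES_SAVE_V4 = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""

IP6TABLES_SAVE_V6 = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 21,22,23 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
COMMIT
"""

ACCEPT_RULE = re.compile(r"^-A INPUT\b(?P<body>.*)-j ACCEPT\s*$")
PROTO = re.compile(r"-p (tcp|udp)\b")
DPORTS = re.compile(r"--dports? (\S+)")   # matches --dport N and --dports a,b,c


def expand_ports(spec):
    """'80' -> {80}; '21,22,23' -> {21, 22, 23}; '8000:8002' -> {8000, 8001, 8002}."""
    ports = set()
    for part in spec.split(","):
        if ":" in part:
            low, high = part.split(":")
            ports.update(range(int(low), int(high) + 1))
        else:
            ports.add(int(part))
    return ports


def accepted_ports(save_output):
    """Return (INPUT chain policy, {(proto, port), ...} accepted by explicit rules)."""
    policy, allowed = None, set()
    for line in save_output.splitlines():
        if line.startswith(":INPUT "):
            policy = line.split()[1]
            continue
        rule = ACCEPT_RULE.match(line)
        if not rule:
            continue
        proto = PROTO.search(rule.group("body"))
        dports = DPORTS.search(rule.group("body"))
        if proto and dports:
            allowed.update((proto.group(1), p) for p in expand_ports(dports.group(1)))
    return policy, allowed


def policy_diff(v4_save, v6_save):
    """Compare the two families; a chain with policy ACCEPT is flagged as wide open."""
    policy4, allowed4 = accepted_ports(v4_save)
    policy6, allowed6 = accepted_ports(v6_save)
    return {
        "v4_default_accept": policy4 == "ACCEPT",
        "v6_default_accept": policy6 == "ACCEPT",
        "only_v4": sorted(allowed4 - allowed6),
        "only_v6": sorted(allowed6 - allowed4),
        "congruent": policy4 == policy6 and allowed4 == allowed6,
    }


if __name__ == "__main__":
    # On a live host feed in the output of `iptables-save` and `ip6tables-save`
    # instead of the constructed samples.
    for key, value in policy_diff(IPTABLES_SAVE_V4, IP6TABLES_SAVE_V6).items():
        print(f"{key}: {value}")
```

The parser only understands the plain `--dport`, `--dports` and `a:b` forms; rules that match on source address, interface or `-m set` are taken as accepting the port for everyone, which errs on the side of reporting a difference rather than hiding one. With the samples above it reports 21, 22, 23 and 8080 as IPv6-only.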
Well...
What if they haven‘t?
Attack scenario
Host: 62.159.96.70 / 2003:60:4010:1090::13
Ports: 80, 443, 8080, 22, 23, 21
Portscan IPv4: 80, 443
Portscan IPv6: 21, 22, 23, 80, 8080, 443
How?
¬ 1. Write a script
¬ 2. Get a list of domains
¬ 3. Scan them
¬ 4. Store them
¬ 5. Analyse them
Getting a list of suitable Targets
¬ Alexa Top 1 Million
¬ Frequently used
¬ (should) be well maintained
¬ CSV
1,google.com
2,facebook.com
3,youtube.com
4,baidu.com
5,yahoo.com
{...}
Let‘s sum it up
¬ 1 Million Domains
¬ Full TCP Port Scan (65535 Ports)
¬ Version detection
¬ Product detection
Procedure
Server with MySQL database
Scanner.py
Alexa Top 1 Million: {Google.com}, {Facebook.com}, ...
socket.getaddrinfo() -> IPv6 address / IPv4 address
nmap.thread (IPv6) -> Port, Service, Version -> Insert domain, IPv6, Port, Service, Version
nmap.thread (IPv4) -> Port, Service, Version -> Insert domain, IPv4, Port, Service, Version
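The attack scenario above and this procedure are the same thing seen from outside: resolve both families, scan each address separately, keep the results per family and look for differences. The script below is an added example, not the authors' Scanner.py. It uses `socket.getaddrinfo()` as the deck does, but substitutes a plain TCP connect scan for the nmap threads and an in-memory SQLite table for the MySQL server, so it runs without nmap or a database. The sample data it ships with replays the attack-scenario host (the two addresses and open-port sets from that slide); the domain name `example.net` is a hypothetical placeholder, and the six-port list is only the scenario's ports, not the full 65535-port scan of the thesis.

```python
"""Dual-stack scan and comparison: resolve a domain with socket.getaddrinfo(),
TCP-connect-scan the IPv4 and the IPv6 address separately, store each
family's open ports, and list the ports reachable over one family only."""
import socket
import sqlite3
import sys

PORTS = (21, 22, 23, 80, 443, 8080)   # the ports from the attack-scenario slide


def resolve_dual_stack(domain):
    """Return ({IPv4 addresses}, {IPv6 addresses}) for the domain."""
    v4, v6 = set(), set()
    for family, _t, _p, _c, sockaddr in socket.getaddrinfo(domain, None, proto=socket.IPPROTO_TCP):
        if family == socket.AF_INET:
            v4.add(sockaddr[0])
        elif family == socket.AF_INET6:
            v6.add(sockaddr[0])
    return v4, v6


def connect_scan(ip, ports, timeout=1.0):
    """Full TCP connect scan: the kernel performs a normal three-way handshake,
    so no raw sockets or root privileges are needed."""
    family = socket.AF_INET6 if ":" in ip else socket.AF_INET
    open_ports = set()
    for port in ports:
        with socket.socket(family, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            try:
                sock.connect((ip, port))
            except OSError:        # refused, filtered (timeout) or unreachable
                continue
            open_ports.add(port)
    return open_ports


def compare_families(v4_open, v6_open):
    """Classify a host the way the deck does: parity, more on IPv6, more on IPv4."""
    v4_open, v6_open = set(v4_open), set(v6_open)
    if v4_open == v6_open:
        verdict = "parity"
    elif len(v6_open) > len(v4_open):
        verdict = "more on IPv6"
    else:
        verdict = "more on IPv4"
    return {"verdict": verdict,
            "only_v4": sorted(v4_open - v6_open),
            "only_v6": sorted(v6_open - v4_open)}


def store_results(conn, domain, ip, open_ports):
    """One row per (domain, address, family, open port), like the deck's table."""
    conn.execute("CREATE TABLE IF NOT EXISTS scan "
                 "(domain TEXT, ip TEXT, family INTEGER, port INTEGER)")
    family = 6 if ":" in ip else 4
    conn.executemany("INSERT INTO scan VALUES (?, ?, ?, ?)",
                     [(domain, ip, family, port) for port in sorted(open_ports)])
    conn.commit()


def discrepancies_from_db(conn):
    """Ports open on exactly one family, per domain (SQL form of compare_families)."""
    return conn.execute("""
        SELECT domain, port, SUM(family = 4) AS on_v4, SUM(family = 6) AS on_v6
        FROM scan GROUP BY domain, port
        HAVING SUM(family = 4) = 0 OR SUM(family = 6) = 0
        ORDER BY domain, port""").fetchall()


# Constructed sample replaying the deck's attack-scenario host: "example.net"
# is a hypothetical name, the open-port sets are the ones shown on the slide.
SAMPLE_DOMAIN = "example.net"
SAMPLE_OPEN = {"62.159.96.70": {80, 443},
               "2003:60:4010:1090::13": {21, 22, 23, 80, 443, 8080}}


def demo():
    conn = sqlite3.connect(":memory:")
    for ip, ports in SAMPLE_OPEN.items():
        store_results(conn, SAMPLE_DOMAIN, ip, ports)
    return discrepancies_from_db(conn)


if __name__ == "__main__":
    # Live use: python dualstack_scan.py example.org  (scans PORTS only)
    for domain in sys.argv[1:]:
        v4, v6 = resolve_dual_stack(domain)
        open4 = connect_scan(next(iter(v4)), PORTS) if v4 else set()
        open6 = connect_scan(next(iter(v6)), PORTS) if v6 else set()
        print(domain, compare_families(open4, open6))
    if len(sys.argv) == 1:
        print(demo())
```

Two caveats a practitioner will hit immediately. A connect scan reports "filtered" and "closed" identically (both end up absent from the set), so a timeout-heavy IPv6 path will look like a tighter policy than it is; raise the timeout or move to nmap with `-6` for the real run. And the address returned by `getaddrinfo()` for a CDN-fronted domain is the CDN's edge, which is why the deck excludes Cloudflare from its statistics.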
Ethical Considerations
¬ We have responded to every abuse mail
¬ We only used RFC-compliant SYN-ACK packets
¬ We believe this research contributes to IPv6 security
¬ We want to make the world a safer place
Results (Some Numbers)
57,168 Domains
114,336 IP Addresses
976,998 Open Ports (IPv4 & IPv6)
___________________________
1,148,502 Total Datasets

204,877 Open Ports on IPv6, of which 102,840 are ports 80 and 443
772,121 Open Ports on IPv4, of which 106,409 are ports 80 and 443

Parity (same number of open ports on IPv4 and IPv6)
Discrepancies
Differing number of ports:
More on IPv6 compared to IPv4
More on IPv4 compared to IPv6

Cloudflare
¬ About 40% of the IPv6 addresses found belong to Cloudflare
¬ Only web ports open (80, 443, 8080)
¬ Excluded from the statistics
Most used Ports on IPv6
Most used Ports on IPv4
Most targeted Ports by Akamai Technologies

Results of this Research
Percentage
Results (Telnet on IPv4/IPv6)
[chart: IPv6 vs. IPv4]
Results (SQL-Servers on IPv4/IPv6)
Looking a bit closer: MySQL
*MariaDB version numbers follow MySQL's numbering scheme up to version 5.5.
Results (SSH-Servers on IPv4/IPv6)
Looking a bit closer: OpenSSH
Recommendation
¬ Always check both IPv4 and IPv6
¬ Check yourself using our script (soon on github.com)
¬ Check your security devices for IPv6 support

Conclusion
¬ Excluding ports 80 and 443, about six times as many open ports were found on IPv4 as on IPv6
¬ 40% of the dual-stack hosts belong to the Cloudflare CDN
¬ MySQL servers reachable over IPv6 have a higher patch level
¬ Potentially vulnerable ports are more likely to be found on IPv4
¬ IPv6 is there; use it
Don‘t forget to lock the Backdoor (Dec. 2015)
Mark Allman
Questions?
@itsecurityguard https://www.insinuator.net/